Installing and Configuring Citrix Password Manager 4.6
Password Manager is a Citrix product, also known as Citrix single sign-on, that lets users have their password handling fully automated. It allows:
– Automatic logon: on local or remote computers, on websites or in any type of application that requires credentials, including custom applications. For anything that requires a password, the user stores it with Citrix Password Manager and will never be asked for it again; the credentials are entered automatically.
– Transparent password change: when an application requires the user to change their password (for example, because it expires), Citrix Password Manager can automatically generate a complex password that the user does not even have to know; it is stored automatically in Password Manager for later use.
– Account Self-Service: users can unlock their locked user accounts or change their passwords easily, with an extra layer of security that can consist of certain security questions.
– Hot Desktop: allows logging on and off in seconds and eliminating generic user logon accounts in shared-workstation environments.
Installing the Citrix Password Manager server – HERE
Configuring the Citrix Password Manager server – HERE
Installing and configuring the Citrix Password Manager client (Agent) – HERE
We need to install and configure the Citrix Password Manager server on a server to store users' passwords, and we will deploy a Citrix Password Manager agent (client) on users' PCs or on the Citrix Presentation Servers where users run their applications and where we want their passwords to be saved.
Installing the Citrix Password Manager server
First of all we need to install the central store on a server, which is where all users' information is kept. This store can live in Active Directory, on an NTFS resource or in a Novell shared folder; in this example we will store it in AD, so we will first need to extend the AD schema. Once the store is created, we will install the Password Manager service and its administration console, Citrix Password Manager Console.
A license server is required. I will not install it in this document, as it is the standard license server in Citrix environments; you will need to download the corresponding .lic file and load it onto the license server.

We begin the installation. The first thing is to create the central store that holds users' password information: insert CD2 of Citrix Presentation Server 4.5 and select “Step 2: Create your central store.”

We select the type of store we want to create, where users' passwords will be stored securely. In my case I choose “Create your central store in the Active Directory domain”. To create the store in the domain we must follow these steps on a domain controller, since we first have to extend the schema from it and then create the store on a domain controller.

So before we create the store we must extend the Active Directory schema; we click on “Step 1: Extend the Active Directory schema for the new directory objects”,

We confirm that there is a schema master in our AD, that this server is a domain controller, and that the user we are using for the installation is a schema administrator. If all this is correct, we click on “Yes”,

The schema preparation script (“ctxschemaprep.exe”) runs; we wait for it to finish and then press any key,

Once the schema is extended, from the same domain controller we create the store that will hold the passwords. Select “Step 2: Create your central store in the extended schema”,

We must confirm that this server is a domain controller and that the current user belongs to the domain administrators group, “Yes”,

We wait while the central store container is created… and press a key once it finishes successfully,

Once the central store is created, we must install the Citrix Password Manager service and then the administration console. So in the installation menu we select “Step 3: Install the administrative components”,

Select “Step 2: Install Password Manager Service” to install the service itself, the component that will run Password Manager. This is done on the server where we want the service to run; it no longer has to be a domain controller, any server will do for this role.

The wizard starts; “Next” to begin,

We accept the license with “I accept the license agreement” & “Next”,

We select what we want to install: Key management (so that users can authenticate quickly, without having to answer security questions or provide their previous password), Data integrity (the protection mechanism used by the agent to prevent configuration data stored in the central store from being tampered with), Provisioning (allows adding, removing or updating user credentials from the console), Self-service (enables users to easily reset passwords and unlock accounts, so they don't call us!), Credential synchronization (the action the agent/client performs to ensure that the credentials and administration settings stored locally on the PC match those in the central store) and Languages (simply so that the questions are asked in the language the user has on their PC; these are Spanish, English, French, German and Japanese),
We tick the components we are interested in and “Next”,

Ok, ready to install the agent; click on “Install” to start the installation,

… we wait while it installs…

OK, perfect, Citrix Password Manager Service is now installed, “Finish”,

Now we must install the administration console, an Access Console. Select “Step 3: Install Password Manager Console”,

“Next” to begin the console installation,

We accept the license by checking “I accept the license agreement” & “Next”,

We select which components we want to install, in principle all of them (Console, Application definition tools, License server administration and Access Management Console – Diagnostics), “Next”,

… we wait while the console is installed…

Ok, console installed, “Finish”,

What remains now is to install a server certificate on the server that runs Password Manager Service, since the connection between it, the store and the agents must be encrypted. We will also sign the central store with it. Since I have a certification authority, I will request a certificate to sign my store; we connect to the CA and request a certificate from “a”.

Select “advanced certificate request”,

Select “Create and submit a request to this CA”,

We select “Web Server” as the certificate template, fill in the rest of the fields, and submit the request to the certification authority to generate the certificate. “Submit”,

We answer “Yes” to generate the new certificate,

And we install it on the server that has the Citrix Password Manager Service by clicking on “Install this certificate”,

“Yes” to install it,

Ok,
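
A check worth running once the certificate is installed, added here as an example and not part of the original guide: this PowerShell script lists the certificates in a store on the Password Manager Service server and flags the ones that could not secure https://SERVER/MPMService. The store path, host name and warning window are assumptions to adjust.

```powershell
# Added example: audit server certificates on the Password Manager Service host.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',  # assumption: machine personal store
    [string]$HostName  = $env:COMPUTERNAME,        # assumption: SERVER in https://SERVER/MPMService
    [int]$WarnDays     = 30                        # assumption: renewal warning window
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'               # Server Authentication EKU
$now = Get-Date

Get-ChildItem -Path $StorePath | ForEach-Object {
    $cert = $_
    $problems = @()

    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($cert.NotAfter -lt $now) {
        $problems += 'expired'
    } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
        $problems += "expires within $WarnDays days"
    }

    # An EKU extension that omits Server Authentication cannot secure HTTPS.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $problems += 'EKU lacks Server Authentication'
    }

    # TLS clients expect the name used in the URL to appear in the certificate.
    # GetNameInfo returns only the primary DNS name, so review multi-name certificates by hand.
    $dnsName = $cert.GetNameInfo('DnsName', $false)
    if ($dnsName -ne $HostName) { $problems += "name '$dnsName' does not match '$HostName'" }

    # Build the chain to a trusted root; revocation is skipped so the check runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { $_.Status })
    }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Problems   = ($problems -join '; ')
    }
}
```

An empty Problems column means the certificate passed every check; pass the fully qualified name with -HostName if that is what the agents will use in the service URL.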

What we have to do now is sign the central store with this certificate by running the following command from the directory “C:\Program Files\Citrix\Metaframe Password Manager\Service\SigningTool”:
CtxSignData.exe -s SERVER_PASSWORD_MANAGER_SERVICE/MPMService CERTIFICATE DC_SERVER TYPE (AD/NTFS/Novell)
Configuring the Citrix Password Manager server

Once the Password Manager Service is installed, we must configure it from the “Access Management Console”,

If it is the first time we open it, we will have to run discovery… We run it, “Next”,

We select the products that we are going to discover and configure; it will be both “Configuration Tools” and “Password Manager”, “Next”,

We specify which is our central store. In this case it was AD, so we select “Active Directory” and “Any domain controller that can be written to” & “Next”,

Since we selected the “Data integrity” component during installation (the protection mechanism the agent uses to prevent manipulation of the configuration data stored in the central store), we need to enter the server path in the following format: https://SERVER/MPMService and the service port, which by default is 443/TCP. “Next”,

We check that all the information is correct and “Next”,

We wait for the discovery process to complete… and we check “Close the wizard once the discovery has successfully finished”.

What we need to do now is configure PM. First we create a configuration that we will apply to the users we are interested in; I will create one that applies to all domain users so that the Agent/Client works correctly. So under “Citrix Resources” > “Password Manager” > “User settings”, we right-click and select “Add new user setting”.
From this console we could also configure certain applications for users from “Application definitions” or create domain-level security policies for password complexity…

We give it a name. Since this will be a generic setting for all users and nothing special, I will call it 'Domain Users Configuration' and associate it with the group of users I want to be able to use the Password Manager Agent; from “Add…” I add the group I am interested in, in my case 'Domain Users'. “Next”,

We select our product edition; in my case it is “Password Manager Enterprise”, “Next”,

When the client agents' passwords need to sync with the central store, since it is an Active Directory store, they will connect to the domain controller we choose. We can leave “Any domain controller that can be written to” & “Next”,

We can add application groups for these users if we want. Initially I won't add any application, and the agent can be used in all applications. “Next”,

These are the settings we will allow users to change in the Agent. We can:
– Allow users to reveal passwords, and require authentication before revealing the user's passwords.
– Allow users to pause the Agent.
– Notify the user when Agent synchronization fails.
– Automatically detect applications and prompt the user to store the credentials. IMPORTANT
– Automatically process defined forms when the agent detects them.
“Next”,

As for licensing, we must define which is the Password Manager license server and the type of licensing we have purchased. “Next”,

These are the methods for protecting credential data, if we want to protect it, or if we want users to be able to use smart cards or certificates as an authentication method and have Password Manager store this information, “Next”,

We select the option that interests us for when a user changes their password for whatever reason: whether we want the password change to require entering the previous one or answering security questions. “Next”,

And since we have also installed the self-service feature, we can choose whether users can change their Windows passwords and, if they have a locked account, whether they can unlock it. “Next”,

We must enter the URL of the server that has the key management module (the feature that lets users authenticate quickly, without having to answer security questions or provide their previous password). Since I installed it on the same server as the other components, I enter the same address in the format https://SERVER/MPMService on port 443. “Next”,

Just like the previous module, this is the provisioning one (which allows adding, removing or updating user credentials from the console); we enter the server URL in the format https://SERVER/MPMService on port 443, “Next”,

We check the full configuration summary and, if we agree, click on “Finish”. This concludes the basic configuration of Password Manager. Of course many more parameters can be configured, but this is enough for basic operation.
Installing and configuring the Citrix Password Manager client (Agent)
This part concerns only the client side, that is, wherever users run the applications that ask them for passwords. These can be their Windows XP workstations or servers with Citrix Presentation Server where the applications actually run. I will perform the installation on a workstation on my network running MS Windows XP Pro.

So we insert the Citrix Password Manager CD and install the client on a workstation by selecting “Install the Password Manager agent”. Alternatively, from the first option, we could create a package to distribute later via Active Directory GPOs and avoid doing it user by user.

We begin the installation; click on “Next”,

We accept the license, “I accept the license agreement” & “Next”,

We select the agent options, that is, what we want the user to have installed. In this case I will install everything to be able to enjoy all the benefits, “Next”,

We select the type of central store we have on the server side (in our case it's 'Microsoft Active Directory'), “Next”,

We need to enter the URL of the server running Citrix Password Manager Service in the format https://SERVER/MPMService and the default port 443/TCP. “Next”,

Click on “Install” to begin installation…

… we wait while the agent is installed…

Click on “Finish” once the agent is installed,

We must restart for the changes to take effect, so we click on “Yes, I want to”.

Once rebooted, we see that the logon screen changes and a new button is introduced, “Account self-service…”, which will allow users to easily change their computer passwords and unlock their user account if it is locked. For now I won't show more than that, so we log in as a user and accept.

The Citrix Password Manager agent will open automatically… We wait while it authenticates…

The first time, we must register as users by answering the questions set by the administrator, for when we want to unlock the account or change the old password. So we click on “Register…”

The security questions registration wizard starts; its answers confirm it's us when we need a password, “Next”,

We answer the questions we are asked; there will be as many as the administrator has configured, with the questions they have set for the wizard. We keep answering them and “Next”,

We keep answering them and “Next”,

Click on “Next” to send the answers to the PM server,

Click on “Finish” to confirm that the user's answers have been saved correctly.

“Finish”,

And we will see that an icon remains in the taskbar; for now we will not use it.

Now, simply because the agent is running, it will pop up whenever we are about to enter credentials so that it can store them, for example when browsing a web page. We answer “Yes”, we want Citrix Password Manager to remember the logon information for that application.

We enter the credentials to use that application and click on “Finish”. The next time we run that application, it will automatically log us in, and the user won't even realize they are signing in with credentials they entered some time ago. Anyway, are there other uses we can give to Citrix Password Manager? We can see them in this short demo – HERE.
www.bujarra.com – Héctor Herrero – Nh*****@*****ra.com – v 1.0